I must not be understanding something...

Does this still allow whitelisted machines to connect, or is this just a troll thing to do?



This will not allow any machine to connect on the port it's listening on.

The idea is that you set Endlessh on your server's port 22 (standard SSH port), then configure "actual" SSH to listen on a different (randomly selected) port. You connect to that port to get stuff done. Bots that troll for connections on port 22 will get stuck on port 22.


The idea is that you run your real SSH server somewhere else, like on a different port. If you scroll down a little (like, skim over the article) you see some example code that is basically the entire server. It's just a few lines of code, there is no real SSH implementation in this thing. And that's the whole idea: it can't really be hacked and it thwarts attackers.

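What "a few lines of code" with no real SSH implementation looks like in practice, as an added example (my own Python sketch, not Endlessh, which is written in C): it binds a listener, accepts anyone, and drips random pre-banner lines at them, never sending the version string. The function names, the loopback-only bind and the tiny delays are assumptions for running it locally; a real deployment would use port 22 and a delay of many seconds.

```python
import random
import select
import socket
import string
import threading
import time

def banner_line():
    # RFC 4253 section 4.2 lets a server send any number of lines before its version
    # string; a leading digit guarantees the line never begins with "SSH-" and ends that phase.
    body = random.choice(string.digits) + "".join(
        random.choices(string.ascii_letters + string.digits, k=random.randint(2, 31)))
    return body.encode("ascii") + b"\r\n"

def run_tarpit(port, delay=10.0, stop=None, on_listen=lambda p: None):
    srv = socket.create_server(("127.0.0.1", port))  # loopback for the demo; "" to face the internet
    srv.setblocking(False)
    on_listen(srv.getsockname()[1])
    clients = {}  # socket -> monotonic time its next line is due
    while stop is None or not stop.is_set():
        wait = min((due - time.monotonic() for due in clients.values()), default=delay)
        if select.select([srv], [], [], max(wait, 0))[0]:  # single thread, no per-client cost
            conn, _ = srv.accept()
            conn.setblocking(False)
            clients[conn] = time.monotonic() + delay
        now = time.monotonic()
        for conn in [c for c, due in clients.items() if due <= now]:
            try:
                conn.send(banner_line())
            except BlockingIOError:  # client stopped reading; retry later
                pass
            except OSError:  # client gave up and disconnected; drop it
                del clients[conn]
                conn.close()
                continue
            clients[conn] = now + delay  # scanner stays stuck here, a few bytes at a time

def start_tarpit(delay):
    # Run the tarpit in a daemon thread on a free loopback port; return (port, stop_event)
    port, stop = [], threading.Event()
    threading.Thread(target=run_tarpit, args=(0, delay, stop, port.append), daemon=True).start()
    while not port:
        time.sleep(0.01)
    return port[0], stop

def probe(port, n_lines, timeout=5):
    # Connect the way a scanner would and return the first n_lines lines received
    with socket.create_connection(("127.0.0.1", port), timeout=timeout) as c:
        f = c.makefile("rb")
        return [f.readline() for _ in range(n_lines)]
```

Running `probe()` against `start_tarpit()` shows the client receiving line after line and never the `SSH-2.0-` version string it is waiting for, which is the entire trick.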

I could see a few ways to use this. For me, what makes sense for my public sftp servers is to put this on a higher port, then use ipset lists to dynamically add bots to a DNAT rule and send them to this instead of the proper sshd.

i.e. you get 2 chances to authenticate correctly, then I put you in this hamster wheel for a day. Hamster wheels and intermittent fasting are all the rage these days.


I was thinking of something similar, but in reverse -- turn this into part tarpit, part honeypot.

I was thinking I could take the IP address of anyone who hangs out in the tarpit for longer than a minute or so and automatically add it to my firewall's blacklist.


I used to run a honeypot.

For fun and giggles, I also kept the user and password they tried to see if any of my systems was at risk.


Presumably legitimate access would be on port 22, whereas only bots would hit 2222.


Almost, but backwards. The bots all know port 22. Only you know which random other port is the real ssh port.


And the second guess would be port 2222, so don't use it for a real ssh server!


I suspect that bots that randomly scan IP addresses for vulnerable hosts don't bother trying anything besides 22. I've been running my sshd on port 622 for a long time and I never get fishy connections (while I'd get at least one a week on port 22).

On the other hand a dedicated attacker who really wants to pwn your server will just scan all the ports and figure out what is listening and where. At this point you're better off implementing some form of port knocking if that's a cause for concern.

That being said, running sshd on port 2222 is probably not a good idea because it's not a privileged port.


Every machine I control has sshd listening on port 222 for that last reason.


I use 12345 as my SSH port (not really)


Yes, it's just a troll thing.



